Government’s Cybersecurity Regulatory Framework Expands to Healthcare and Other Industries
Cyberattacks are devastating, especially when they derail real-world critical services like healthcare. An especially troubling attack field is ransomware: In 2022, 66% of U.S. hospitals were targeted in ransomware attacks, an increase of almost 50% from 2021, and 289 hospitals were affected by successful ransomware attack incidents. Healthcare organizations paid the ransom in about 61% of ransomware incidents, the highest rate of any industry. In 2023, the trend continued to rise at an alarming rate, with over 317 publicly reported ransomware attacks levied against healthcare entities. It is now the new normal for hospitals to divert ambulances and cancel elective procedures due to a ransomware attack. Every citizen is a potential patient, and now every patient is grappling with this dilemma.
Should the federal government force hospitals to follow its own cybersecurity blueprint? The United States released its National Cybersecurity Strategy in early 2023, and focused work continues on the strategy’s implementation plan. In this strategy, the Biden administration expressed its support for “legislative efforts to impose robust, clear limits on the ability to collect, use, transfer and maintain personal data and provide strong protections for sensitive data like geolocation and health information.”
Given the recent rise in cybersecurity threats, the administration is considering a proposal that would require hospitals to use multifactor authentication and commit to patching vulnerabilities in a timely fashion if they want to remain eligible for federal Medicare and Medicaid funds. Senior administration officials believe such an approach is key to mitigating cybersecurity incidents. As new regulations will be imposed before the end of 2024, the impact of such funding at the organizational level would depend on compliance. The American Hospital Association recently noted the healthcare industry is likely to fight the requirements being placed on the hospitals since many of the cyber incidents that hit hospitals in the last year originated through third-party suppliers.
A prevailing issue is the disproportionate emphasis on demonstrating compliance with regulations rather than prioritizing more impactful security measures. For instance, the U.S. regulatory landscape is starkly different between national security entities, civilian federal agencies, states and municipalities. The compliance landscape and associated processes also vary immensely from country to country despite the default international operating nature of industries such as healthcare.
Over time, the regulatory framework governing cybersecurity has become increasingly complex, with different jurisdictions and industry sectors adopting varied standards and requirements. Case in point: It is unlikely in the near term for the National Institute of Standards and Technology Cybersecurity Framework to move beyond its current voluntary status. This has led to an unfavorable situation where the goal of achieving genuine cybersecurity, and best safeguarding one’s organization against evolving threats, has taken a back seat to the imperative of satisfying regulatory mandates.
What should organizations with limited time and resources focus on? With the federal government evaluating mandating cybersecurity blueprints, it is worth considering why this dissonance exists and what can be done to achieve harmony across the public and private sectors.
Addressing the increase in U.S. cybersecurity incidents
U.S. federal agencies reported more than 32,000 information security incidents in 2021, according to the U.S. Government Accountability Office (GAO). A public sector cybersecurity survey reports that hackers account for more than half of security threats for government agencies, followed closely by careless insiders.
Top priorities for U.S. agencies are improving investigation and remediation capabilities, and removing barriers to sharing cyber-threat information between public and private entities. Within state and local governments, action remains varied. Several states such as New York and Texas are appointing senior cyber officers. State leaders are taking an "aggressive, nation-leading approach to to transforming our cybersecurity infrastructure to combat emerging threats.”
Increasing equity around cybersecurity
Unfortunately, end users such as healthcare patients often bear the cost of these security incidents. The market does not sufficiently incentivize organizations in the public and private sectors to enhance cybersecurity measures. The resources needed to improve cybersecurity initiatives often fall behind other priorities. Legacy logging architectures and data silos make it difficult for agencies to detect, identify and protect against these threat actors efficiently.
In 2022, the average time to detect and contain a breach was a staggering 277 days. This should be a motivator for boardrooms. As reported in CISO Magazine, a predicted 75% of CEOs will be personally liable for the financial impact due to cyber-physical system attacks by 2024. To mitigate harm to citizens and companies alike, a security-enabled data strategy is imperative.
Creating a level playing field
A mandate for many public sector organizations and their private sector partners is to provide cybersecurity incident reports to a central agency — for example, the Cybersecurity and Infrastructure Security Agency (CISA) — or within their respective systems. The costs associated with data storage and budgetary pressures are common reasons why this is not achieved.
Yet, when these challenges can be unblocked, it democratizes cybersecurity by enabling organizations to access and query security data from a single source of truth to effectively protect against threats. In response to recent cyber incidents, the White House issued an Executive Order (EO) on Improving the Nation’s Cybersecurity. This EO and related subsequent memorandums not only define policy, but also highlight key tenets required to enable the federal government to efficiently investigate and remediate cyber incidents.
A typical network environment has multiple tools collecting and providing telemetry. Previously, these were limited to networking devices such as routers, switches and firewalls. But today we have access to endpoint-detection tools that collect much more verbose information related to processes execution, file and registry modifications, and other user-behavior-level information. Application logs provide developers insight into the health and performance of applications and, for those with a cloud presence, cloud service provider logs allow security teams to audit, monitor and enforce security controls in the cloud.
Implementing changes that could create harmony
In an era marked by escalating cybersecurity threats and vulnerabilities, fostering harmony within organizations and across their ecosystems has become vitally important. Organizations can fortify their collective security posture by leveraging insights from commercial and public sector organizations, and by promoting data-driven best practices. Through collaborative efforts and proactive education, it will be easier to cultivate a unified front against emerging threats, ensuring a resilient and secure cyber landscape.
The necessary changes can be grouped in three main areas:
- Provide insight and expertise to help shape and advance security principles for securing critical infrastructure, as advocated in the National Cybersecurity Strategy.
- Educate security organizations on data-driven security best practices that encourage stakeholders in diverse roles to play a part in efficiently strengthening security posture.
- Democratize threat intelligence and expand log retention across the public and private sectors. At a May 2023 Advanced Cyber Security Center (ACSC) event, Rob Knake, former White House Principal Deputy National Cyber Director, told the audience that industry-specific regulation is coming, explaining it would be aimed at driving up necessary and beneficial standards in the financial sector.
Once organizations are equipped with the security tools and knowledge needed to bolster critical infrastructure defenses, they can foster a more unified and effective approach to cybersecurity that prioritizes genuine security over mere organization compliance.
Learn more about Snowflake for cybersecurity here.